How To Attach A USB To VM Via the USB Name?

Is there a way to attach a USB device to a VM using the USB device name (thru terminal)?

For this usage, I will use lsusb+qvm-usb, see How to use USB devices - CLI.

I’m trying to write a script that will work across all computers. I need a method that doesn’t change from computer to computer.

The name of the USB is constant.

The DEVID isn’t.

Is there another way using the USB name (or some other constant)?

Given that the device ID dynamically changes depending on what is connected to your computer, you might consider piping the output of qvm-usb to grep to grab the current devid and use that in a subsequent command to make the connection. It might also get more complicated depending on the type of USB device attached (storage, camera, networking, etc). I seem to recall that mounting a block device is more secure when “attaching” a drive than a generic “USB passthrough”.

1 Like
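The grep approach suggested in the reply above, written out as an added example (not code from any poster in this thread). It assumes `qvm-usb` prints a header row followed by one `BACKEND:DEVID  DESCRIPTION  USED BY` line per device; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve a device's current BACKEND:DEVID by description.

# find_devid NAME   (listing is read from stdin)
# Prints BACKEND:DEVID when exactly one device matches NAME, ignoring case.
# Returns 1 when nothing matches and 2 when several devices match, so a
# script never attaches "whichever came first".
find_devid() {
    awk -v want="$1" '
        NR == 1 && $1 == "BACKEND:DEVID" { next }    # header row
        NF < 2 { next }                              # no description column
        {
            id = $1
            $1 = ""                                  # keep description (+ USED BY)
            if (index(tolower($0), tolower(want))) { n++; hit = id }
        }
        END {
            if (n == 1) { print hit; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# Constructed sample listing, not captured from a real system.
sample_listing() {
    cat <<'EOF'
BACKEND:DEVID   DESCRIPTION                      USED BY
sys-usb:2-1     05e3:0749 Example_USB_Storage
sys-usb:2-3     1234:5678 Example_Security_Key
sys-usb:3-2     1234:5678 Example_Security_Key
EOF
}

# attach_by_name QUBE NAME   (dom0 only: calls the real qvm-usb)
attach_by_name() {
    devid=$(qvm-usb | find_devid "$2") || {
        echo "no unique USB device matches '$2'" >&2
        return 1
    }
    qvm-usb attach "$1" "$devid"
}

# Usage in dom0: sh attach-by-name.sh QUBE NAME
if [ "$#" -eq 2 ]; then
    attach_by_name "$1" "$2"
fi
```

Refusing to attach on an ambiguous match matters when two identical devices are plugged in, because their descriptions are the same and only the DEVID differs.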

It is complicated, but at a low level there is the ability to use the Vendor ID and Product ID, which are persistent.

Here is a simple example (under R4.1):

  1. First you need to allow the request from the destination qube to sys-usb (in my example it is ‘work’) with the VENDORID.PRODUCTID parameter, where each of them is in 0xHHHH format (four hex digits):

	[user@dom0 ~] echo 'qubes.USB +0x06cb.0x00bd work sys-usb allow user=root' | sudo tee -a /etc/qubes/policy.d/30-user.policy

  2. Then attach the device with the command:

	[user@dom0 ~] echo sys-usb 0x06cb.0x00bd | qvm-run -p -u root --service work qubes.USBAttach

1 Like
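The two steps from the post above combined into one script, as an added example that is not the poster's code. It converts the `VENDOR:PRODUCT` form printed by lsusb into the `0xHHHH.0xHHHH` argument the post describes and appends the policy line only once; the function names and the `POLICY_FILE` override are hypothetical, and the policy path, rule text and `qvm-run` call are the ones given in the post.

```shell
#!/bin/sh
# Added example: build the R4.1 policy rule and attach by VENDOR:PRODUCT id.
POLICY_FILE=${POLICY_FILE:-/etc/qubes/policy.d/30-user.policy}

# to_policy_arg 05e3:0749  ->  0x05e3.0x0749
# Accepts only the lsusb form (two groups of four lowercase hex digits).
to_policy_arg() {
    h='[0-9a-f]'
    case "$1" in
        $h$h$h$h:$h$h$h$h) echo "0x${1%:*}.0x${1#*:}" ;;
        *) echo "not a VENDOR:PRODUCT id: $1" >&2; return 1 ;;
    esac
}

# policy_rule VENDOR:PRODUCT TARGET_QUBE [USB_QUBE]
policy_rule() {
    arg=$(to_policy_arg "$1") || return 1
    echo "qubes.USB +$arg $2 ${3:-sys-usb} allow user=root"
}

# ensure_policy ...: append the rule only if it is not already present
# (run as root in dom0; the post uses "sudo tee -a" for the same write).
ensure_policy() {
    rule=$(policy_rule "$@") || return 1
    grep -qxF -- "$rule" "$POLICY_FILE" 2>/dev/null ||
        echo "$rule" >> "$POLICY_FILE"
}

# attach_by_id VENDOR:PRODUCT TARGET_QUBE [USB_QUBE]   (dom0 only)
attach_by_id() {
    arg=$(to_policy_arg "$1") || return 1
    qvm-start --skip-if-running "$2"
    echo "${3:-sys-usb} $arg" |
        qvm-run -p -u root --service "$2" qubes.USBAttach
}

# Usage in dom0 as root: sh attach-by-id.sh 05e3:0749 QUBE [USB_QUBE]
if [ "$#" -ge 2 ]; then
    ensure_policy "$@" && attach_by_id "$@"
fi
```

Vendor and product IDs are reported by the device itself, so a rule keyed on them identifies a device model rather than one specific, trusted device.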

How do I get the VENDORID.PRODUCTID in Qubes?
Output of usb-devices in dom0 terminal isn’t showing any devices. lsusb isn’t showing anything either.
qvm-usb gives the DEVID and description.

Is there a separate command to get the vendor & product id?

run lsusb
output:

	Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

(note: random example from internet)
the 1d6b:0002 is the VENDORID and PRODUCTID, written in the format VENDORID:PRODUCTID

Thanks. For others who run into this problem: I was running lsusb in dom0. I had to attach to the target vm, then run lsusb in the vm. Dom0 output: Nothing. Target vm output: gave the data. Suspect it has something to do with the sys-usb sandboxing.

This is the whole point of sys-usb: the USB devices should not go to dom0 and are isolated into a dedicated non-trusted VM.

Just run lsusb in sys-usb

1 Like

another one for ‘User Support’

RE: Syntax of this ^^^.
lsusb shows the device ID format as 0x06cb:0x00bd. (":", and not “.”). Is the colon replaced with a period?

…and sudo tee I can imagine is just logging the device use? (Qubes on this device doesn’t have that file.)

(For some reason the command isn’t attaching the USB, but also not throwing an error.)

It is just logging the output to a file (man tee).

If this script doesn’t throw any errors, yet the USB doesn’t attach, what do you think I’m doing wrong?


#!/bin/sh
### params
### lsusb shows device as 05e3:0749
usb_device_id='0x05e3.0x0749'
usb_appVm='vault'
### start vm
qvm-start $usb_appVm
### attach USB to vm
echo 'qubes.usb +$usb_device_id $usb_appVm sys-usb allow user=root' 
echo sys-usb $usb_device_id | qvm-run -p -u root --service $usb_appVm qubes.USBAttach

Is the script attempting to attach the USB before VM is finished starting? Maybe there is an equivalent to --wait for starting a VM?

It might also be a good idea to include:

qvm-start $usb_appVm --skip-if-running

…so it doesn’t throw an error. Then try that with vault already running to make sure vault is ready for the USB

By the way… I’m not sure if that’s just an example VM name but it’s probably not a good idea to attach USB drives to trusted VMs like Vault

My personal preference is to use a disposable sys-usb VM for all USB data I/O operations. From there I might secure copy the data to a disposable isolated VM to clean up images, pdfs, etc. before securely moving files to store in vault. sys-usb is easily cleaned with a reboot and no trusted VMs are exposed to USB devices.

I usually limit attaching USBs to other VMs for things like security keys, yubikeys, 2FA etc. The only exception might be attaching a USB drive to another disposable VM.

1 Like

only on disposable sys-usb

Yes… I mentioned that. :)

Thanks for the skip if running tag. I added it to the script.
I changed the vault to a throw away, isolated just for this USB.
I’ve tested with it started and with it shut down. It starts up just fine. It skips as it should when started.

It still doesn’t throw error, yet it doesn’t seem to attach the USB.
The USB has partitions.
Manually attaching the USB, and running lsusb exposed the partitions.
I added to the script to also attach the partitions.

It still doesn’t work. Any ideas?

Here’s what lsusb outputs when attached manually:

user@nja-vault:~$ lsusb
Bus 002 Device 002: ID 05e3:0749 Genesys Logic, Inc. 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Here’s the script with the partitions added:

#!/bin/sh
### params
### lsusb shows device as 05e3:0749
usb_device_id='0x05e3.0x0749'
p1_id='0x1d6b.0x0002'
p2_id='0x1d6b.0x0003'
usb_appVm='nja-vault'
### start vm
qvm-start $usb_appVm --skip-if-running
### attach USB to vm
echo 'qubes.usb +$usb_device_id $usb_appVm sys-usb allow user=root' 
echo sys-usb $usb_device_id | qvm-run -p -u root --service $usb_appVm qubes.USBAttach
### for partitions
echo 'qubes.usb +$p1 $usb_appVm sys-usb allow user=root' 
echo sys-usb $p1 | qvm-run -p -u root --service $usb_appVm qubes.USBAttach
echo 'qubes.usb +$p2 $usb_appVm sys-usb allow user=root' 
echo sys-usb $p2 | qvm-run -p -u root --service $usb_appVm qubes.USBAttach

My example was for R4.1; is that your case? With R4.0 the qubes-rpc request should be modified. Take a look at this doc.

This is a trick to write output with sudo rights. It creates a policy to allow the necessary qubes-rpc request; there is no need to update it each time.